The entry into force of the GDPR earlier than the proposed ePrivacy Regulation has challenged companies with respect to their cookie policies and their implementation.
Companies should take a closer look at the CNIL recommendations, as the end of the transition period is only a few months away, and then the CNIL will start enforcing its new cookies rules. Although the practical recommendations are officially “non-binding”, considering the short timeframe, they are likely to be seen as the best option available to companies looking to ensure both the compliance of their websites and the efficient management of website traffic.
These clear requirements answer the main issue raised by companies regarding the status of implied consent: it is now established that silence or inaction resulting from continuous browsing on a website no longer constitutes valid consent.
Furthermore, the soft “opt-in” of having a pre-ticked box does not constitute valid consent either.
With respect to the requirement for “informed consent”, the CNIL makes no reference to cookie banners, but points out that consent must be given with a full understanding of the consequences of this decision. Therefore, it is the responsibility of companies to draft comprehensive and legible information, and to communicate it to users before obtaining their consent. In that respect, the CNIL recommends that the information communicated should include certain details, including an exhaustive list of the entities using cookies and their respective roles as well as the purposes of the cookies.
Unlike the ICO, the CNIL has given details of its approach to specific consent: the user should be able to give their consent to each of the different purposes for using cookies, as opposed to giving their global consent, unless they are made aware of all the purposes for which the cookies are used when first visiting the website.
In practical terms, the CNIL permits companies to create adaptable templates that allow users to give their consent to the use of each cookie for a specific purpose. This is in line with the CNIL’s decision, affirmed by the French Administrative Supreme Court (Conseil d’Etat) on 6 June 2018 (n°412589), that browser settings do not allow users to give valid consent, to the extent that trackers cannot be distinguished according to their purpose.